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Evidence of signatures associated with cryptographic modes of operation is established. Motivated 
by some analogies between cryptographic and dynamical systems, in particular with chaos theory, we 
propose an algorithm based on Lyapunov exponents of discrete dynamical systems to estimate the 
divergence among ciphertexts as the encryption algorithm is applied iteratively. The results allow 
to distinguish among six modes of operation, namely ECB, CBC, OFB, CFB, CTR and PCBC 
using DES, IDEA, TEA and XTEA block ciphers of 64 bits, as well as AES, RC6, Twofish, Seed, 

Serpent and Camellia block ciphers of 128 bits. Furthermore, the proposed methodology enables a 
classification of modes of operation of cryptographic systems according to their strength. 


I. INTRODUCTION 

The propagation and continuous flow of information 
are of utter importance for the development of stable 
economies throughout the world as they are a prerequi¬ 
site for successful business transactions, short- and long- 
range communication, and so on [T]. Often this infor¬ 
mation has to be encrypted in such a way that it can 
be safely transferred between the sender and recipient 
without allowing others to read the information that 
is present in such an encrypted message j2j. On the 
other hand, malicious persons and organizations, but also 
governmental organizations, are continuously striving to 
break the key with which messages were encrypted be¬ 
cause this might enable them to get those pieces of in¬ 
formation that are needed to achieve their criminal, pro¬ 
tective, or other goals la m. It is probably due to the 
impact of Turing’s success in breaking the Enigma that 
humanity became aware of the importance of cryptogra¬ 
phy in general, and the vulnerability of ciphers more in 
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particular [5], 

Since this major breakthrough, the functioning of 
the industrial, financial and public sector has become 
strongly dependent on the advances of cryptography. For 
instance, while the availability of worldwide networks has 
enabled rapid dissemination of information, it has also 
stimulated cryptographic innovations because a signifi¬ 
cant share of this information may only be available to a 
few parties. In this manner, technological progress dur¬ 
ing the last decades has increased the need for secured 
communication and transactions, information shielding, 
and so on Em¬ 
in the last few decades, modern cryptography replaced 
mechanical schemes with new computing models. This 
modern focus influenced the classical design of ciphers 
far beyond the original purpose. Nowadays, there are 
two class of cryptographic algorithms depending on the 
key: symmetric and asymmetric. Symmetric encryption 
algorithms use the same key for both encryption of plain¬ 
text and decryption of ciphertext. This class of algorithm 
is also divided into two categories: stream ciphers and 
block ciphers. Block ciphers have gained wide popular¬ 
ity since the introduction of the first adopted encryp¬ 
tion: The Data Encryption Standard (DES) [6], in the 
mid-1970s, yet nowadays this cipher is considered prone 
to brute force attacks. To overcome this shortcoming 
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the International Data Encryption Algorithm (IDEA) [7] 
was designed in 1991 to replace DES. Ever since, there 
has been a pursuit for the development of new algo¬ 
rithms that meet the rising security expectations. In 
1997, the National Institute of Standards and Technol¬ 
ogy (NIST) 0 selected the official Advanced Encryption 
Standard (AES) among many competitors, namely Ser¬ 
pent 0, Twofish [TO], RC 6 [II], Rijndael [T2], etc. 

To date, block ciphers are the most important ele¬ 
ments in many cryptographic systems [3]. A block ci¬ 
pher breaks a message into blocks of elements (bits) and 
then encrypts one block ( plaintext ) at a time producing 
its corresponding output block ( ciphertext ). However, a 
block cipher by itself allows for the encryption of only 
one block, such that it is recommended to use a mode 
of operation in conjunction Il3j . This mode of opera¬ 
tion specifies a mechanism to improve the corresponding 
block cipher, while encrypting all of the blocks, one by 
one, as it goes along. 

Motivated by the analogies between cryptographic and 
dynamical systems, on the one hand, and the lack of a 
means to discriminate between different modes of opera¬ 
tion that can be used to encrypt a message with a block 
cipher using a single key, on the other hand, we demon¬ 
strate in this paper how Lyapunov exponents can be re¬ 
lied upon for tackling this problem. More specifically, 
by contemplating the whole of a cipher, ciphertext and 
key as an utter discrete dynamical system, i.e., a cellular 
automaton (CA), and by resorting to the notion of Lya¬ 
punov exponents as they have been conceived for such 
systems mm, we show how these measures can be ex¬ 
ploited to identify the mode of operation that was used 
during the encryption process. 

Although the cryptographic process of encrypting and 
decrypting information does not constitute a dynamical 
system as such, it has been reported that it is possible 
to draw parallels between cryptographic and dynamical 
systems |16HT9l . Hence, drawing upon such parallels, we 
have a means to exploit similar tools as the ones that have 
been conceived in the framework of dynamical systems in 
order to characterize cryptographic systems. Taking into 
account that the stability of a dynamical system is gen¬ 
erally acknowledged as its main characteristic because it 
gives insight into its intrinsic nature [20) HI] , it is natural 
to verify whether the dynamical systems viewpoint of a 
cryptographic system allows for a similar notion in order 
to better understand the latter. An exploration of this 
is further motivated by the fact that several researchers 
have noticed a close resemblance between a cryptographic 
system on the one hand, and a chaotic system, on the 
other hand [22H25] , and the large number of chaos-based 
cryptosystems mm- 

Classically, the stability of a dynamical system is as¬ 
sessed by computing its so-called largest Lyapunov expo¬ 
nent that quantifies how it behaves if it is evolved from 
two different but close initial conditions [20] . Either the 
corresponding phase space trajectories diverge or con¬ 
verge in which case we refer to the system as unstable 


or asymptotically stable, respectively, or the system is 
conservative, which means that the initial separation re¬ 
mains. 

As the fields of cryptography and dynamical systems 
are not yet strongly interwoven, the basic definitions and 
concepts that relate to those systems and that are of 
interest within the framework of this paper are presented 
in Section [XT] while the dynamical systems viewpoint on 
cryptographic systems is presented in Section |Hl| together 
with the proposed method for identifying the underlying 
mode of operation. Finally, the strengths of the proposed 
method are illustrated and discussed in Section IV by 
means of computer experiments. 


II. PRELIMINARIES 

In this section we introduce the specificities of both 
cryptographic and dynamical systems that are indispens¬ 
able for a clear understanding this paper. 


A. Block ciphers and modes of operation 

Classically, an encryption system encloses three major 
components, namely a cipher, a key, and finally, a cipher- 
text. The former constitutes a sequence of instructions 
that must be executed in order to encrypt a given plain¬ 
text, which may be envisaged as a sequence of N bits, 
such that it can be represented as a Boolean vector P of 
length N. The result of this encryption process using a 
key K , which is a sequence of k bits, is a so-called cipher- 
text, which may be represented in a similar fashion as a 
Boolean vector C of length N |2j. 

Of course, the real plaintext size varies and is mostly 
different from the length of the blocks for which a block 
cipher is designed. Consequently, common ciphers can¬ 
not be applied directly for the encryption of arbitrary- 
length plaintext [20. In order to overcome this issue, 
so-called block ciphers have been designed and imple¬ 
mented. A block cipher slices the plaintext of length N 
into b blocks of n bits, after which each of these blocks is 
encrypted/decrypted by a block cipher, denoted as Ek 
and E^ 1 , respectively. Mathematically, the encryption 
of a plaintext P = (Pi, P 2 ,.. ., Pb) of length n into a 
ciphertext of the same length can be formalized as C = 
E(K, P) = E k ( P), where E : {0, l} k x {0,1}” -A {0, l} n . 
If the length N of the plaintext is not a whole multiple 
of b , additional bits are padded to the last block of the 
plaintext. 

These block ciphers encrypt a plaintext in accordance 
with a well-defined procedure, which is commonly re¬ 
ferred to as the mode of operation of a block cipher. A 
block cipher encrypts one block at a time, and it is the 
mode of operation that allows a block cipher to encrypt 
blocks consecutively in a secure way. Most of them use 
an initialization vector (IV), denoted 7 , which adds ran¬ 
domness to the encryption process [3j. For instance, the 
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counter mode uses a special method for generating coun¬ 
ters in order to guarantee that each block in the sequence 
is different from every other block [131 . 

From the many block ciphers currently available, we 
will focus on the well-studied ones, being DES [B] (n = 
64, k = 56), IDEA [7], TEA [29] and XTEA [30] (n = 64, 
k = 128), as well as AES [15], RC 6 [IT], Twofish fTDj, Ser¬ 
pent [5], Seed [TT] and Camellia [35] (n = 128, k = 128). 
The specifications of these block ciphers and the modes 
of operation are public, so they can be implemented [15] . 

In 2001 the NIST compiled and recommended five 
modes of operation —most of them were developed 30 
years ago—to be used with a block cipher, namely 
the Electronic Codebook (ECB), Cipher Block Chain¬ 
ing (CBC), Cipher Feedback (CFB), Output Feedback 
(OFB), and Counter (CTR) modes [13]. In addition to 
these NIST modes, there are many others, among which 
the Propagating Cipher-Block Chaining (PCBC) [3] 
mode will be considered in this paper. 

Mathematically, the encryption of an arbitrary-length 
plaintext by means of a block cipher in combination with 
the ECB mode of operation can be formulated as: 

Cj = E K (Pj), j = 1,2,... ,b, (1) 

where Cj represents the encrypted counterpart of the j- 
th block of plaintext Pj . Similarly, the formalism for the 
CBC mode is given by 

Cj = E K (Cj-i © Pj), j = 1,2,... , 6 , (2) 

where © is the mod 2 operator and Cq = 7 . For the OFB 
mode one may write: 

C j = P j ®O j - 1 , j = 1,2,... ,b, (3) 

where Oj = EK(Oj-i) with Oq = Ex(l) and 7 is ran¬ 
domly selected from {0,1}". Table [i] lists the formulas 
for the other modes of operation that are considered in 
this paper. 

In the remainder, a mode of operation of a block ci¬ 
pher is denoted as M Ek : { 0 , 1 }^ —> { 0 , 1 }^, which 
maps a given plaintext P of length IV to a correspond¬ 
ing ciphertext C of equal length, so that we may write 
C = Me k (P)- In order to clarify the functioning of 
a cryptographic system, we show in Fig. [T] a crypto¬ 
graphic system with 6 = 2 blocks of n = 3 bits that 


TABLE I: Mathematical representation of the CFB, 
CTR and PCBC modes. 


CFB 

CTR 

PCBC 

C j = P j <8E K (C j - 1 ) 

C± = P 1 ®E k (i) 

Cj = Pj ® Oj 

Oj = E K (cij) 

Qj = rand(o!j_i) 

<*i=7 

Cj = e k (Pj e Pj -1 e Cj- 1) 

Ci = E K (Pi®'j) 


uses the CBC mode of operation. We consider an ex¬ 
emplary plaintext P = ( Pi,P 2 ), for which it holds that 
Pi = 010, P 2 = 001 and 7 = 101. Note that the outputs 
generated by Ek are chosen only for illustration, e.g., 
Ci = Ek{Co®Pi) = Ek{ HI) = 100. We can see clearly 
that a single application of the function Me k consists of 
b applications of Ek since the latter has to be applied to 
each of the plaintext blocks Pj in order to construct the 
ciphertext C. 


t = 0 

t = 1 

Co = 7 = [ 101 ] 

Cl = Ek (101 0 010) = 100 

P = [ 010 , 001 ] 

Ci = Ek (100 ® 001) = 000 


c = Me k ( P) = [100,000] 


FIG. 1: Example of the CBC mode of operation with 
6 = 2 blocks, n = 3 bits and block cipher Ek- 


B. Analogies between cryptographic and 
dynamical systems 

Although cryptographic systems, as the ones given by 
Eqs. 0 -([3]) and those listed in Table[IJ do not constitute 
dynamical systems, we can draw some parallels between 
both types of system, which might enable us to gain a 
deeper understanding of the former [Mini[22][24]. More 
specifically, we may envisage such a cryptographic system 
as a one-dimensional CA, which can be represented by 
means of a triplet (T, S', d'). The first element of this 
triplet refers to a one-dimensional array of ‘cells’ Ci , each 
of which bears one of the states enclosed in the finite 
set S = {0,1}, and which are updated at discrete time 
steps by means of a global transition function 'F. The 
state of the i-th cell in T at the t -th time step will be 
denoted as s(cj,t). Essentially, upon putting T = Me k , 
a mode of operation Me k may be envisaged as such a 
global transition function. 

Finally, we identify a given plaintext P with s(-,0) in 
such a way that the i -th bit of the _ 7 -t.l 1 block in P is 
denoted as s(c},0). The transition function Me k may 
be applied iteratively so that a distinct ciphertext C* is 
evolved at every time step t. As such, a cryptographic 
system can be transformed into a CA, and we may write 

s(-,t+l) = M EK (s(-,t)), (4) 

or equivalently, C t+1 = M Ek ( C 4 ), where C 1 = M Ek ( P). 

In Fig. [2] we show an illustration of the CBC mode of 
operation by using Eq. Q for the first two time steps 
in the evolution of its corresponding CA. Note that text 
styling has been added to make the effect of the mode 
of operation tractable, and also, that the same plaintext 
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t = 0 

t = 1 

t = 2 

Co = 7 = [1.0.1] 

cl = 7 = [10.1] 

7 = Cl = Cl = [ 000 ] 

P = [010,001] 

c\ = e k ( 101 0 010) = 100 

C\ = E k (000 © 100) = Oil 


cl = Ek (100 0 001 ) = 000 

cl = E k { Oil 0 000) = 111 


C 1 = M Ek { P) = [100,000] 

C 1 =M Ek (P) = [011,111] 


FIG. 2: Example of the CBC mode of operation evolving over time with b = 2 blocks, n = 3 bits and block cipher 

Ek- 


and 7 values are used as the ones given in Fig. [T] As the 
mode of operation is applied iteratively, at every con¬ 
secutive time step 7 is put equal to Cl because one has 
to select a new point in phase space that is the closest 
to the reference direction, which basically constitutes an 
orientation of the new initial configuration Cq +1 into the 
direction of Cl- For reasons of uniformity, 7 is the only 
parameter that can contain this initial configuration. 

Recently, sundry methods have been developed to un¬ 
ravel the dynamical properties of utter discrete dynam¬ 
ical systems such as CA [H] ifS] 155H55] , As such, by 
relying on these for grasping the dynamics of a crypto¬ 
graphic system’s corresponding CA, we might be able 
to gain deeper insight into the dynamics of the former. 
More specifically, we will show in the remainder of this 
paper how Lyapunov exponents of CAs may be relied 
upon for identifying the mode of operation of the under¬ 
lying cryptographic systems, in the same way as these 
measures have shown their usefulness for characterizing 
utter discrete dynamical systems [H US [361 [37]. 


III. A CELLULAR AUTOMATON VIEW ON 
CRYPTOGRAPHIC SYSTEMS 

Suppose that the CA counterpart of a given crypto¬ 
graphic system S = (C, P, Me k ) is denoted as C. We can 
investigate the dynamics of the former in general, and its 
stability more in particular, by computing its so-called 
Lyapunov exponent, which quantifies how the dynami¬ 
cal system behaves in the long run if it is evolved from 
two close initial conditions. Clearly, in our setting, this 
means that we will assess the sensitivity of the equivalent 
CA C to a small perturbation of the plaintext since we 
put s(*, 0) = P. Hence, this should yield insights into the 
behaviour of the cryptographic system if the plaintext is 
perturbed. 

Taking into account that the smallest possible pertur¬ 
bation in such a two-state setting boils down to flipping 
one bit of the first block of the plaintext P, P\ constitutes 
the most influential block (initial condition) to the mode 
of operation. Besides, it holds that the initial damage 
vector h(-, 0) = P © P*, where © is the mod 2 operator, 


contains only one non-zero element. In the remainder, a 
cell c? for which holds that /i(c^, 0 ) = 1 will be referred 
to as a defective cell. After pinning down a plaintext 
P and its perturbed version P* that fulfills the latter 
criterion, we can evolve the equivalent CA C from both 
s(-,0) = P and s*(-,0) = P* for one time step in order 
to obtain s(-,l) and s*(-,l). Here, it should be recalled 
that one time step in the evolution of a CA corresponds 
to one application of the mode of operation M Ek , which 
involves the update of several blocks. Having updated 
all the blocks, we can compute the damage vector at the 
first time step 

if s*(<4, 1 ) ^ s{4, 1 ), 
else. 

Consequently, the total number of defects at the first 
time step can be computed as 

b n 

£ i = EE ?i ^ 1 )- ( 5 ) 

j=i*=1 

At this point, the reader might think that the damage 
vector during subsequent time steps should be computed 
similarly, but this is certainly not the case because one 
would then neglect the fact that the defects can cancel 
out each other due to the discrete nature of the CA’s state 
space EMUS]. The discrepancy between the number of 
defective cells and the number of defects is not yet clear 
after the first time step because every defective cell at 
t = 1 traces back to the same initial defective cell. 

However, as soon as the CA is evolved one more time 
step, a discrepancy emerges between these quantities. 
This can be understood by explicitly tracking all possible 
pathways along which defects at t = 1 may propagate and 
accumulate during one subsequent time step (see Fig. |3|) . 
It is interesting to have a closer look at how nine defects 
can arise at the second time step in the evolution of the 
CA notwithstanding there are only five defective cells, 
which should be contributed to the fact that several of 
them may enclose multiple defects due to the existence 
of several pathways along which defects can propagate. 


H4’ 1) = 
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FIG. 3: Maximal propagation of defects (black) in 
evolution space of a CA together with all possible 
pathways along which defects can propagate (arrows). 


Taking into consideration this reasoning, the correct 
number of defects at the t-th time step, denoted e t , should 
be computed in accordance with the following six-step 
procedure. 

1. Let the cryptographic system evolve for one time 
step, i.e., C 1 = Me k { P), and analogously for its 
perturbed version C 1 * = Me k ( P*), both using the 
same initialization vector 7 . 

2. Calculate the damage vector hi given by Eq. ^ 
and set the initialization vector as the last block 
calculated for both versions , i.e. , 7 = C£ and 7 * = 
C£, as explained in Section |HB 

3. For every c? for which h(c-, 1) = 1, create a replica 
R? such that Rj(c?, 1) = s*(cj, 1) = s(cj, 1), where 
s(c?, 1) is the Boolean complement of s(c 1), and 
Rl(c J q , 1) = s(c|, 1), for every c J q 7 ^ c-. Use the set 
A\ to store these replicas. 

4. Let the cryptographic system evolve one more time 
step, i.e., compute s(-, 2 ) and !?(-, 2 ), which boils 
down to evaluating Me k (Rj ) with the same 7 * for 
all replicas R £ Ai. 

5. Calculate the total number of defects at the second 
time step as follows: 

b n 

e 2= J2 ( 6 ) 

RjeA 1 0=1 *=1 

and set the initialization vector as the last block 
calculated for both versions, i.e., 7 = and 7 * = 
r 2 

6 . For every and R £ A\ for which R(c I i ,2) ^ 
s(cf, 2), create a replica Rj such that Rj(c?,2) = 
s(cj,2) and Rj(cP q , 2) = s(cP q ,2) for every c> q ^ cf. 
Use a multiset A 2 to store these replicas. 

7. Repeat steps (4)-(6) in every subsequent time step 
t + 1 in order to assemble h(-, t + 1) and A t+ 1 . 


After computing the number of defects e* at every con¬ 
secutive time step t, the rate of divergence/convergence 
of initially close phase space trajectories A (t) of a CA C 
can be obtained from: 

= , ( 7 ) 

with its limit value 

A = lim A (f), ( 8 ) 

t—t OO 

generally referred to as the maximum Lyapunov expo¬ 
nent (MLE) of C. In the framework of cryptographic sys¬ 
tems, A (t) quantifies how ciphertexts, which are obtained 
by iteratively encrypting two close plaintexts P and P*, 
behave (converge/diverge) as the number of time steps 
grows. As indicated in papers on the LE of CAs, one can 
derive a theoretical upper bound on these LEs, which has 
shown to depend on the number of neighbours mm- 
Calling to mind Shannon’s idea of diffusion, which is 
related to the avalanche effect and states that a slight 
change of the plaintext gives in worst case rise an entirely 
different ciphertext, we are able to derive a theoretical 
upper bound on the MLE of cryptographic systems. For 
instance, consider the plaintext P = 10101101 and its 
perturbed version P* = 10101100, as well as their en¬ 
cryption Ek( P) = 10101000 and Ek(P*) = 01010111 , 
respectively. In the worst case scenario, the number of 
differences may be at most 8 , which is the length of the 
plaintext N. This means that a defect in at the t-th 
time step can at most propagate to N bits at the subse¬ 
quent time step. Therefore, a mean-field approximation 
of the upper bound X m for the cryptographic systems 
becomes 

Am = j log(A‘) = log(TV) = log(fen). (9) 

Obviously, the higher the number of blocks b , the higher 
the upper bound becomes. 

Before turning to the experimental section of this pa¬ 
per, we illustrate in Fig. [4]the procedure by which the LE 
of a mode of operation Me k can be assessed. Note that 
we employed the same plaintext as in Fig. [2j By mov¬ 
ing along this table’s rows, we see the plaintexts that 
are encrypted by repeatedly applying the mode of opera¬ 
tion Me k - Note that some replicas are repeated as soon 
as the system is evolved for one time step, which is in 
agreement with the findings reported in Fig. [3] 

In order to avoid having to keep track of all path¬ 
ways individually, one can optimize the algorithm by just 
counting every unique replica once and keeping track of 
its multiplicity. For example, at t = 2 the replica R\ 
would be repeated twice, then at the subsequent time 
step this replica has two cell defects, which means four 
pathways in total at t = 3. As such, by tracking the mul¬ 
tiplicity of every defect rather than every defect itself, 
the efficiency of the algorithm increases substantially. 
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Time 

steps 


Original plaintext P 


Perturbed version P 


# defects 


C 0 =7= [101] 
P = [010, 001] 


C 0 = 7 = [101] 
p* = [on, ooi] 


e„= i 


t = i 


c =M Ek ( P) =[100,000] 

3«,1) 


C 1 = M E ( P ) = [11L 010] 

I- * I I— 1 ^ — ' * -1 

■/?;=[ 110,000] R\ =[101,000] Rl =[100,010] 


e, = 3 


t = 2 


C 2 =M Ek { C‘)= [Oil, 111] 


M e (R\) = [ 001, 101] 


M e (7?i) = [001, 111] 


M e ( 7 ?;) = [ 010 , 110 ] 



e 2 =5 


C 3 =M Ek (C 2 )= [010,011] 


m Ek (;i = [lio.oio] 

M E (Ri) = [011,011] 


M E^ R i) = [010,101] [ 
M Ek (R\) = [010,0lT]1 


/?]-[on,oi! j 
jej—[oioj.ii]| 


«].[ 010 , 001 ] 


£, = 2* 2+1+2= 7 


FIG. 4: Illustration of the 
calculation of the LE for a 
generic mode of operation and 
block cipher with b = 2 blocks 
and n = 3 bits. 


If the cryptographic system is sensitive to the plain¬ 
text from which it is evolved, the number of defects e t 
increases exponentially during its evolution, such that 
e t > Cq, and consequently, A > 0. On the other hand, 
the system should be referred to as insensitive to the 
underlying plaintext if the initial defect vanishes as the 
number of time steps increases. Such a situation implies 
that A = —oo owing to the discrete nature of a CA’s 
state space. Since cryptographic systems are designed in 
such a way that small changes in the plaintext give rise 
to substantially differing ciphertexts, it should not come 
as a surprise if A would be positive for all the modes of 
operation at stake in this paper. Still, the numerically 
assessed values of A(f) might differ significantly among 
different block ciphers and/or underlying modes of oper¬ 
ation, such that they may still be used to discriminate 
between different modes of operation. This usage will be 
illustrated in the following section. 


IV. EXPERIMENTAL RESULTS AND 
DISCUSSION 

To demonstrate the effectivity of the above method¬ 
ology, we considered two groups of block ciphers on the 
basis of their block length n. The first group encloses the 
64-block ciphers, namely DES ([£. IDEA [3? TEA [22 
and XTEA [30], which all use a k = 64 key except for 
DES that uses a key of length of k = 56 bits. The sec¬ 
ond group of block ciphers is composed of 128-block ci¬ 
phers with key of k = 128 bits: AES l2], RC 6 TTj , 
Twohsh [10], Serpent [9], Seed (3T| and Camellia [52] , 
These ten block ciphers were adapted in such a way 
that they took the plaintext P, the key K and the ini¬ 
tialization vector 7 as input variables. Moreover, these 
block ciphers were implemented with a predefined num¬ 
ber of rounds , each of which consist of several inner steps 
in the course of an encryption process and they depend 


on the specific algorithm [3] . We considered eight rounds 
for IDEA, eighteen for DES, and thirty-two rounds for 
both TEA and XTEA. Further, ten rounds for AES, 
sixteen for both Twofish and Seed, eighteen for Camel¬ 
lia and thirty-two for Serpent. Finally, we implemented 
the modes of operation in accordance with the formalism 
given by Eqs. <[l]h(|3} for ECB, CBC and OFB, and in 
Table [I] for CFB, CTR and PCBC. 

A. The dataset 

To ensure the representativity of the computed Lya¬ 
punov exponents, we computed the average A-values that 
were obtained when the CAs were evolved from differ¬ 
ent plaintexts. Hence, the A-values reported in the re¬ 
mainder represent averages calculated over an ensemble 
E = { e P | e = 1,..., 200} of 200 randomly generated 
plaintexts e P and their perturbed versions e P*, which 
were obtained by flipping only one bit in the first block 

of e P • 

Since such an ensemble was constructed for each of the 
concerned cryptographic systems, by mutually combining 
the underlying block cipher and the mode of operation, 
we considered a total of 60 combinations, i.e., ten block 
ciphers and six modes of operation. Consequently, a total 
of 12000 plaintexts were generated randomly. 

Similarly, the key I\ and the initialization vector 7 
were generated randomly in order to avoid both key rep¬ 
etitions and weak keys, which is a recommendation in 
cryptography [38| . In the remainder, we refer to the as¬ 
sembly of the 200 randomly generated plaintexts, keys 
and initialization vectors as the cryptographic dataset 
per cipher and mode of operation. Given that the block 
ciphers encrypt a plaintext by splitting it into a num¬ 
ber of blocks and subsequently transcribing every block, 
the plaintexts were generated in such a way that they 
were composed of the same number of b blocks, irrespec- 
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tive of the type of block cipher. Note that this implies 
a plaintext containing N = b x 64 bits in case of the 
64-block ciphers and N = b x 128 bits in case of the 
128-block ciphers. Thus, in order to compare A-values of 
64- and 128-block ciphers, we normalized the numerically 
obtained A with respect to A m obtained from Eq. |9]), 

B. Lyapunov exponents for the modes of operation 

We assessed A (t) for the CA counterpart of each of 
the concerned cryptographic systems. For that purpose, 
the equivalent CAs were evolved for t = 200 time steps, 
which was sufficiently long because A(t) showed conver¬ 
gence in such a way that |A(t) — A (t + 1)| < 1.19 x 10 -4 , 
being the maximum discrepancy between A (t) and A(f+1) 
at the end of the simulation. 

Furthermore the consistency of the A-values across the 
members of the different ensembles is also demonstrated 
in Fig. [5] (a), which depicts the frequency distribution of 
the standard deviation a\ (base 10 logarithm) of A200 cal¬ 
culated for the 60 cryptographic systems at stake. This 
histogram shows the similarity of A across the different 
plaintexts, as the standard deviation that comes along 
with the average MLE for the different cryptographic sys¬ 
tems is obviously small. 



(a) log.oOj*) (-) (b) A (10 3 ) 


FIG. 5: (a) Frequency distribution of the standard 
deviation cr\ (base 10 logarithm) of A200 calculated over 
the 60 combinations of cryptographic systems, (b) 
Frequency distribution of A = max({ e P | e = 

1,..., 200}) - min({ e P | e = 1,..., 200}). 


Fig. [5] (b) shows a histogram of the discrepancies 
between the maximum and minimum observed MLE 
among the members of the ensemble E, denoted by A = 
max({ e P | e = 1,..., 200}) — min({ e P | e = 1,..., 200}). 

The A-values obtained for the investigated datasets 
lie between 3.99 x 10 -5 and 4.79 x 10 -3 . The maxi¬ 
mum and minimum A correspond, respectively, to the 
pairs of modes of operation with underlying block cipher: 
IDEA-OFB and Serpent-CFB. All together, these small 
discrepancies demonstrate once more that the A-values 
are highly consistent across the different plaintexts within 
the ensemble E , such that we may draw conclusions on 
their average values. 

For simplicity, we mainly restrict our attention to 


IDEA and AES as representative members of the fami¬ 
lies of 64- and 128-block ciphers (see Fig. [6]), respectively, 
since similar results were obtained for the other block ci¬ 
phers in the same families (see Fig.[7|. These figures de¬ 
pict the LE curves for all the modes of operation versus 
the number of time steps—note that the standard devia¬ 
tion of each curve is not shown since they are very small. 
Taking into account Eq. & the upper bound for the 
64-block ciphers is A m = log(N) = log(320) « 5.76832, 
while it is A m = log(640) ~ 6.46147 for the 128-block 
ciphers were employed to normalize the A-values, respec¬ 
tively. 
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FIG. 6: Lyapunov exponent versus the number of time 
steps for different modes of operation, being ECB, 
CBC, OFB, CFB, CTR and PCBC, using the (a) IDEA 
64-block cipher and (b) AES 128-block cipher. The 
curves represent the average LE A over 200 initial 
plaintexts during t = 200 times steps, which are 
normalized with respect to A m obtained from Eq. ©• 

From both figures, it is quite easy to discriminate be¬ 
tween the modes of operation, except for the overlapping 
curves of CTR and OFB. It is interesting to have a closer 
look at how their corresponding LE increases almost ex¬ 
ponentially during the first few time steps. This be¬ 
haviour can be explained by reconsidering the equations 
in Table |T] Indeed, CTR uses an inner pseudo-random 
number generator and OFB uses a new initialization vec- 
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FIG. 7: Lyapunov exponent versus the 
number of time steps for different 
modes of operation, being ECB, CBC, 
OFB, CFB, CTR and PCBC using 
64-block ciphers: DES, TEA and 
XTEA, and 128-block ciphers: RC6, 
Twofish, Seed, Serpent and Camellia 
with b = 5 blocks and n = 64 bits. The 
curves represent the average LE A over 
200 initial plaintexts during t = 200 
time steps, which are normalized with 
respect to X m obtained from Eq. 


tor at every time step, such that the number of defective 
cells will not only increase due to discrepancies natu¬ 
rally emerging between the plaintexts, but also due to 
the additional defects introduced through these random 
processes. In contrast, CFB displays the opposite effect, 
i.e., its curve decays exponentially. 

Further, the Lyapunov exponents of ECB and PCBC 
are constant, since the number of defective cells grows 
proportionally through time. For instance, this be¬ 
haviour can be explained by considering that ECB at¬ 


tains A 200 = 3.46565 ± 1.35 x 10 -3 with the IDEA 
block cipher, which means that the number of defects 
e t = e ( A20 °) = 31.99728 ± 4.32 x 10 -2 equals approxi¬ 
mately n/2, being almost 50% of the block length. The 
same behaviour occurs for the AES block cipher, where 
e (A 200 ) = 63.994055 ± 4.29 x 10" 2 . 

The original values of the exponents and standard devi¬ 
ation found at the end of the simulation are summarized 
in Table [TTJ Furthermore, we can discriminate between 
modes of operation in families of block ciphers not only 
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TABLE II: MLE A 200 and standard deviation (xlO 3 ) for the (a) 64- and (b) 128-block ciphers. 


(a) 


A 200 

IDEA 

DES 

TEA 

XTEA 

ECB 

OFB 

CBC 

CTR 

CFB 

PCBC 

3.46565 ± 1.35 

5.04796 ± 4.00 

3.55597 ± 0.96 

5.04817 ± 3.55 

0.15925 ± 0.07 

5.07496 ± 1.91 

3.46570 ± 1.27 

5.04800 ± 3.89 

3.55598 ± 0.93 

5.04818 ± 3.81 

0.15925 ± 0.07 

5.07465 ± 2.01 

3.46554 ± 1.23 

5.04817 ± 3.87 

3.55596 ± 0.81 

5.04853 ± 4.14 

0.15926 ± 0.06 

5.07467 ± 1.91 

3.46564 ± 1.25 

5.04816 ± 3.68 

3.55598 ± 0.88 

5.04787 ± 4.15 

0.15925 ± 0.07 

5.07451 ± 1.87 


(b) 


A 200 

AES 

RC6 

Twofish 

Seed 

Serpent 

Camellia 

ECB 

OFB 

CBC 

CTR 

CFB 

PCBC 

4.15879 ± 0.67 

5.73875 ± 2.82 

4.24921 ± 0.52 

5.73891 ± 2.83 

0.17311 ± 0.05 

5.76812 ± 1.31 

4.15885 ± 0.75 

5.73879 ± 2.96 

4.24913 ± 0.56 

5.73876 ± 2.70 

0.17311 ± 0.05 

5.76815 ± 1.27 

4.15876 ± 0.68 

5.73869 ± 2.86 

4.24920 ± 0.56 

5.73882 ± 2.79 

0.17311 ± 0.05 

5.76792 ± 1.37 

4.15887 ± 0.7 

5.73860 ±2.84 

4.24915 ± 0.51 

5.73904 ±2.78 

0.17311 ± 0.05 

5.76816 ± 1.40 

4.15887 ± 0.75 

5.73840 ± 2.82 

4.24919 ± 0.56 

5.73866 ± 2.74 

0.17311 ± 0.05 

5.76792 ± 1.38 

4.15884 ± 0.76 

5.73885 ± 3.02 

4.24920 ± 0.55 

5.73871 ± 2.81 

0.17311 ± 0.05 

5.76806 ± 1.30 


by visual inspection of the graphs, but also by means 
of statistical tests to demonstrate it. Paired t-tests re¬ 
vealed that there are statistically significant differences 
between ECB, CBC, CFB and PCBC mutually at the 
5% significance level. However, no statistically signifi¬ 
cant difference was found between CTR and OFB. These 
observations were found in both families of 64- and 128- 
block ciphers, which also allows the proposed method to 
discriminate between modes of operation of different fam¬ 
ilies, for instance, IDEA-CTR can be distinguished from 
AES-CTR. 

Moreover, by means of the washer method [39], we an¬ 
alyzed statistically whether a curve (for one of the ensem¬ 
ble’s members) for a given mode falls within the envelope 
of curves obtained for the entire ensemble for another 
mode of operation. This procedure was repeated for all 
the curves within the given mode of operation at the 
5% significance level, which indicated that at most 6.4% 
and 11.1% of the observations of the 64- and 128-block 
ciphers constituted outliers. These outliers exist at the 
beginning of the simulation. We can also notice that the 
CFB curve behaves completely different from the other 
ones (non overlapping and not too close), which means 
that the CFB falls outside of the range of the LE for the 
other modes of operation. 


C. Analysis of the LE of cryptographic systems 

In this section, we will examine and discuss the pre¬ 
ceding results in more detail. 

a. Initial conditions P and P* Recalling that 
an assessment of the Lyapunov exponent involves track¬ 


ing the CA evolution from two initial configurations for 
which it holds that h(-, 0) = P © P* and given the fact 
that we are dealing with Booleans, the smallest possi¬ 
ble perturbation in such a setting implies flipping the 
right-most bit of the plaintext. However, we observed 
that the position of the flipped bit does not affect the 
numerical value of the Lyapunov exponent, which can be 
understood by recalling the theoretical upper bound on 
the Lyapunov exponent of cryptographic systems. In¬ 
deed, the encryption of the plaintext with a bit flipped 
at an arbitrary x position at the first plaintext block 
(1 < x < n) may, in the worst case, affect all the bits of 
the ciphertext. 


b. Cryptographic signatures From Figs. [6j[7j it 
should be noticed that the normalized A-values do not 
attain 1, because none of the cryptographic systems at 
stake is attaining the worst case scenario mentioned in 
Section III This can be explained by the fact that this 
is an ideal and desirable “scenario” for cryptographic 
systems and that the block ciphers at stake have their 
limitations. Furthermore, we found an unexpected phe¬ 
nomenon with regard to the families of 64- and 128-block 
ciphers. A closer look at the curves tied up with these 
families shows that, in fact, we can also differentiate be¬ 
tween block cipher families. 


c. Number of blocks In order to investigate the 
importance of the number of blocks 6, we computed the 
Lyapunov exponents for the same cryptographic systems 
but with 2,4, 8 ,..., 20 blocks. In Fig. [8] one can see the 
LE curves for each mode of operation using the IDEA 
block cipher as a function of b. From this figure it is 
clear that each curve is somehow lifted upwards with the 
number of blocks b. 
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FIG. 8: Comparison of the LE for different modes of operation with 2,4, 8 ,..., 20 blocks using IDEA. Each plot 
contains curves which represent the average LE A over 200 initial plaintexts during t = 200 time steps of the IDEA 

64-block cipher. 


From Eq. ([9]), it is expected to get higher A-values when 
the length of the plaintext increases. In fact, this occurs 
for all the modes of operation at stake, except for ECB. In 
particular, this indicates that irrespective of the number 
of blocks b of the plaintext, the ECB’s number of defects 
will attain approximately n/ 2 , which demonstrates that 
the first block is the only one affected by the initial condi¬ 
tions, while the other blocks do not spread defects. Fur¬ 
thermore, we obtained the same results with both groups 
of 64- and 128-block ciphers and the six modes of opera¬ 
tion. 


d. Empirical MLE In Section III we provided 
some mathematical foundations to obtain the theoreti¬ 
cal upper bound A m for cryptographic systems. How¬ 
ever, the lack of an analytical upper bound for a specific 


mode of operation is an important limitation remaining. 
Perhaps, this limitation may seem contradictious to cryp¬ 
tography aims, because it indicates to find an analytical 
way to obtain the essence of a cryptographic system that 
is designed to avoid this gap. 

Here, we opted for an alternative approach, i.e., an 
empirical estimation of the upper bound for the modes 
of operation as a function of the number of blocks, based 
on a multiple regression analysis, to gain a deeper insight 
into the behaviour of the LE curves. In Fig. [9] we show 
the MLE A obtained as a function of b for the IDEA and 
the corresponding regression curves (see also Fig. [l0| for 
the AES block cipher). The coefficients of determination 
also demonstrate the strong influence by the number of 
blocks b. 
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FIG. 9: An empirical analysis of the upper bound for the inodes of operation based on IDEA A200 with different 

number of blocks (i? 2 = 0.99). 
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FIG. 10: An empirical analysis of the upper bound for the modes of operation based on AES A200 with different 

number of blocks ( R 2 = 0.99). 


e. Computational considerations Although the 
algorithm has been enhanced with different strategies to 
avoid tracking each individual defect, somehow the com¬ 
putational cost of the proposed methodology is very high, 
since the computational time dramatically increases as 
the number of blocks of the plaintext P grows. 


V. CONCLUSIONS 

There is a strong relationship between cryptographic 
systems and discrete dynamical systems. In this work we 


have outlined an approach to envisage a cryptographic 
system as an equivalent one-dimensional CA in order to 
assess its stability characteristics by computing the Lya¬ 
punov exponent of the cryptographic system. The pro¬ 
posed method was capable of distinguishing six crypto¬ 
graphic modes of operation, namely ECB, CBC, OFB, 
CFB, CTR and PCBC using two families of block ci¬ 
phers DES, IDEA, TEA and XTEA of 64 bits, as well 
as AES, RC6, Twofish, Seed, Serpent and Camellia of 
128 bits. Moreover, the proposed method is also capa¬ 
ble of distinguishing between the two families of 64- and 
128-block ciphers. The results showed that the Lyapunov 
exponent evolution pattern is maintained for each mode 
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of operation and this is independent of the block cipher 
used. 

We also provided a mathematical basis to obtain the 
theoretical upper bound X m for the cryptographic sys¬ 
tems. However, further work is required to theoretically 
analyze the upper bound on the LE for each of the modes 
of operation. Here we only used an empirical assessment 
to fit the curves. Finally, our results suggest that even 
modern and contemporary algorithms yield patterns that 
should be explored. Thus, our theoretical framework may 
offer a novel alternative to explore the weakness of these 
cryptographic systems and may ultimately lead to a clas¬ 
sification of these systems according to their strength. 
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